From 2db648b0adeea9e2c101e985fd7645f260fff859 Mon Sep 17 00:00:00 2001 From: Ivaylo Novakov Date: Thu, 10 Mar 2022 18:11:37 +0100 Subject: [PATCH] Nginx passes Skynet-Api-Key and Authorization headers at all spots where it passes the Cookie header. --- docker/nginx/conf.d/include/track-download | 6 +++++- docker/nginx/conf.d/include/track-registry | 10 +++++++--- docker/nginx/conf.d/include/track-upload | 6 +++++- docker/nginx/conf.d/server/server.api | 10 +++++++--- docker/nginx/libs/skynet/account.lua | 10 +++++++--- 5 files changed, 31 insertions(+), 11 deletions(-) diff --git a/docker/nginx/conf.d/include/track-download b/docker/nginx/conf.d/include/track-download index 606c98ad..0bd74dad 100644 --- a/docker/nginx/conf.d/include/track-download +++ b/docker/nginx/conf.d/include/track-download @@ -11,7 +11,11 @@ log_by_lua_block { -- 10.10.10.70 points to accounts service (alias not available when using resty-http) local res, err = httpc:request_uri("http://10.10.10.70:3000/track/download/" .. skylink .. "?" .. query, { method = "POST", - headers = { ["Cookie"] = "skynet-jwt=" .. jwt }, + headers = { + ["Cookie"] = "skynet-jwt=" .. jwt, + ["Authorization"] = ngx.header["Authorization"], + ["Skynet-Api-Key"] = ngx.header["Skynet-Api-Key"], + }, }) if err or (res and res.status ~= ngx.HTTP_NO_CONTENT) then diff --git a/docker/nginx/conf.d/include/track-registry b/docker/nginx/conf.d/include/track-registry index 8c69172b..ac981466 100644 --- a/docker/nginx/conf.d/include/track-registry +++ b/docker/nginx/conf.d/include/track-registry @@ -7,16 +7,20 @@ log_by_lua_block { local httpc = require("resty.http").new() - -- based on request method we assign a registry action string used + -- based on request method we assign a registry action string used -- in track endpoint namely "read" for GET and "write" for POST local registry_action = request_method == "GET" and "read" or "write" -- 10.10.10.70 points to accounts service (alias not available when using resty-http) local res, err = httpc:request_uri("http://10.10.10.70:3000/track/registry/" .. registry_action, { method = "POST", - headers = { ["Cookie"] = "skynet-jwt=" .. jwt }, + headers = { + ["Cookie"] = "skynet-jwt=" .. jwt, + ["Authorization"] = ngx.header["Authorization"], + ["Skynet-Api-Key"] = ngx.header["Skynet-Api-Key"], + }, }) - + if err or (res and res.status ~= ngx.HTTP_NO_CONTENT) then ngx.log(ngx.ERR, "Failed accounts service request /track/registry/" .. registry_action .. ": ", err or ("[HTTP " .. res.status .. "] " .. res.body)) end diff --git a/docker/nginx/conf.d/include/track-upload b/docker/nginx/conf.d/include/track-upload index 340dd437..53795d55 100644 --- a/docker/nginx/conf.d/include/track-upload +++ b/docker/nginx/conf.d/include/track-upload @@ -10,7 +10,11 @@ log_by_lua_block { -- 10.10.10.70 points to accounts service (alias not available when using resty-http) local res, err = httpc:request_uri("http://10.10.10.70:3000/track/upload/" .. skylink, { method = "POST", - headers = { ["Cookie"] = "skynet-jwt=" .. jwt }, + headers = { + ["Cookie"] = "skynet-jwt=" .. jwt, + ["Authorization"] = ngx.header["Authorization"], + ["Skynet-Api-Key"] = ngx.header["Skynet-Api-Key"], + }, }) if err or (res and res.status ~= ngx.HTTP_NO_CONTENT) then diff --git a/docker/nginx/conf.d/server/server.api b/docker/nginx/conf.d/server/server.api index ce93c669..fc6f7034 100644 --- a/docker/nginx/conf.d/server/server.api +++ b/docker/nginx/conf.d/server/server.api @@ -178,7 +178,11 @@ location /skynet/registry/subscription { -- fetch account limits and set download bandwidth and registry delays accordingly local res, err = httpc:request_uri("http://10.10.10.70:3000/user/limits", { - headers = { ["Cookie"] = "skynet-jwt=" .. ngx.var.skynet_jwt } + headers = { + ["Cookie"] = "skynet-jwt=" .. ngx.var.skynet_jwt, + ["Authorization"] = ngx.header["Authorization"], + ["Skynet-Api-Key"] = ngx.header["Skynet-Api-Key"], + } }) -- fail gracefully in case /user/limits failed @@ -267,10 +271,10 @@ location /skynet/tus { if require("skynet.account").is_access_forbidden() then return require("skynet.account").exit_access_forbidden() end - + -- get account limits of currently authenticated user local limits = require("skynet.account").get_account_limits() - + -- apply upload size limits ngx.req.set_header("SkynetMaxUploadSize", limits.maxUploadSize) end diff --git a/docker/nginx/libs/skynet/account.lua b/docker/nginx/libs/skynet/account.lua index 7be6013f..5319f665 100644 --- a/docker/nginx/libs/skynet/account.lua +++ b/docker/nginx/libs/skynet/account.lua @@ -43,12 +43,16 @@ function _M.get_account_limits() if ngx.var.account_limits == "" then local httpc = require("resty.http").new() - + -- 10.10.10.70 points to accounts service (alias not available when using resty-http) local res, err = httpc:request_uri("http://10.10.10.70:3000/user/limits", { - headers = { ["Cookie"] = "skynet-jwt=" .. ngx.var.skynet_jwt } + headers = { + ["Cookie"] = "skynet-jwt=" .. ngx.var.skynet_jwt, + ["Authorization"] = ngx.header["Authorization"], + ["Skynet-Api-Key"] = ngx.header["Skynet-Api-Key"], + } }) - + -- fail gracefully in case /user/limits failed if err or (res and res.status ~= ngx.HTTP_OK) then ngx.log(ngx.ERR, "Failed accounts service request /user/limits: ", err or ("[HTTP " .. res.status .. "] " .. res.body))